Terminate a session and log a user off.
Syntax LOGOFF [sessionname | sessionid] [/SERVER:servername] [/V] [/VM] Key sessionname The name of the session. sessionid The ID of the session. servername The Remote Desktop server containing the user session to log off (default is current). /V Verbose - display information about the actions performed. /VM Log off a session on server or within virtual machine. The unique ID of the session needs to be specified.
By default LOGOFF will not ask for any user confirmation or prompt to save any unsaved data. Use the SHUTDOWN /L command if you need that.
Older versions of Logoff only have two options, /f and /n to force running processes to close, or to force with no confirmation.
Windows security log events
Logon Event IDs 528 and 540 = successful logon
Logoff Event ID 538 = logoff
Logon and logoff events also specify a Logon Type code:
Logon Type 2 – Interactive - Log on at the local keyboard / screen (see the event description for a computer name).
Logon Type 3 – Network - connections to shared folders or printers, over-the-network logons, IIS logons( but not basic authentication)
Logon Type 4 – Batch - The Scheduled Task service creates a new logon session for each task.
Logon Type 5 – Service - Each service is configured to run as a specified user account.
Logon Type 7 – Unlock- a password protected screen saver.
Logon Type 8 – NetworkCleartext - a network logon like logon type 3 but where the password was sent over the network in clear text.
Logon Type 9 – NewCredentials - If you use RunAs /netonly and records the logon event with logon type 2.
Logon Type 10 – RemoteInteractive - Terminal Services, Remote Desktop or Remote Assistance.
Logon Type 11 – CachedInteractive - mobile users not connected to the network connecting with cached credentials.
“The man who is tired of London is tired of looking for a parking space” ~ Paul Theroux
SHUTDOWN - Shutdown the computer - can also logoff a user.
psShutdown - SysInternals.